Project

General

Profile

Actions
Copy link

Bug #58369

closed

Extbase query cache does not respect current fe_group

Added by Jan Kiesewetter about 10 years ago. Updated over 5 years ago.

Status:
Closed
Priority:
Must have
Assignee:
Felix Oertel
Category:
Extbase
Target version:
next-patchlevel
Start date:
2014-04-30
Due date:
% Done:

100%

Estimated time:
TYPO3 Version:
6.2
PHP Version:
Tags:
Complexity:
Is Regression:
Yes
Sprint Focus:

Description

If a fe user requests extbase objects the query cache is build with settings of the current users group:
e.g.

...
AND (tx_productdownloads_domain_model_document.fe_group='' OR tx_productdownloads_domain_model_document.fe_group IS NULL OR tx_productdownloads_domain_model_document.fe_group='0' OR FIND_IN_SET('0',tx_productdownloads_domain_model_document.fe_group) OR FIND_IN_SET('-2',tx_productdownloads_domain_model_document.fe_group) OR FIND_IN_SET('2',tx_productdownloads_domain_model_document.fe_group))
...

If next time a user NOT in that group (2) requests the objects the cached query is executed and he gets the same objects, also the access restricted.

This is a security problem because the query cache is enabled by default.

Related issues 1 (0 open1 closed)

Related to TYPO3 Core - Task #58655: Add tests for extbase query cache current fe_groupClosed2014-05-09

Actions
Actions
Copy link
 #1

Updated by Helmut Hummel almost 10 years ago

  • Status changed from New to Accepted
  • Target version set to next-patchlevel
  • Is Regression changed from No to Yes

I consider this a critical issue which needs to be fixed for the next release

Actions
Copy link
 #2

Updated by Gerrit Code Review almost 10 years ago

  • Status changed from Accepted to Under Review

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/29932

Actions
Copy link
 #3

Updated by Gerrit Code Review almost 10 years ago

Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/29932

Actions
Copy link
 #4

Updated by Gerrit Code Review almost 10 years ago

Patch set 3 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/29932

Actions
Copy link
 #5

Updated by Gerrit Code Review almost 10 years ago

Patch set 4 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/29932

Actions
Copy link
 #6

Updated by Gerrit Code Review almost 10 years ago

Patch set 5 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/29932

Actions
Copy link
 #7

Updated by Gerrit Code Review almost 10 years ago

Patch set 6 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/29932

Actions
Copy link
 #8

Updated by Markus Klein almost 10 years ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100
Actions
Copy link
 #9

Updated by Benni Mack over 5 years ago

  • Status changed from Resolved to Closed
Actions
Copy link

Also available in: Atom PDF